Machine learning algorithms will improve security solutions, helping human analysts triage threats and close vulnerabilities quicker. But they are also going to help threat actors launch bigger, more complex attacks.

Defined as the “ability for (computers) to learn without being explicitly programmed,” machine learning is huge news for the information security industry. It’s a technology that potentially can help security analysts with everything from malware and log analysis to possibly identifying and closing vulnerabilities earlier. Perhaps too, it could improve endpoint security, automate repetitive tasks, and even reduce the likelihood of attacks resulting in data exfiltration.

Naturally, this has led to the belief that these intelligent security solutions will spot – and stop – the next WannaCry attack much faster than traditional, legacy tools. “It’s still a nascent field, but it is clearly the way to go in the future. Artificial intelligence and machine learning will dramatically change how security is done,” said Jack Gold, president and principal analyst at J.Gold Associates, when speaking recently to CSO Online.

“With the fast-moving explosion of data and apps, there is really no other way to do security than through the use of automated systems built on AI to analyze the network traffic and user interactions.”

The problem is, hackers know this and are expected to build their own AI and machine learning tools to launch attacks.

How are cyber-criminals using machine learning?
Criminals – increasingly organized and offering wide-ranging services on the dark web – are ultimately innovating faster than security defenses can keep up. This is concerning given the untapped potential of technologies like machine and deep learning.

“We must recognize that although technologies such as machine learning, deep learning, and AI will be cornerstones of tomorrow’s cyber defenses, our adversaries are working just as furiously to implement and innovate around them,” said Steve Grobman, chief technology officer at McAfee, in recent comments to the media. “As is so often the case in cybersecurity, human intelligence amplified by technology will be the winning factor in the arms race between attackers and defenders.”

This has naturally led to fears that this is AI vs AI, Terminator style. Nick Savvides, CTO at Symantec, says this is “the first year where we will see AI versus AI in a cybersecurity context,” with attackers more able to effectively explore compromised networks, and this clearly puts the onus on security vendors to build more automated and intelligent solutions.

“Autonomous response is the future of cybersecurity,” stressed Darktrace’s director of technology Dave Palmer in conversation with this writer late last year. “Algorithms that can take intelligent and targeted remedial action, slowing down or even stopping in-progress attacks, while still allowing normal business activity to continue as usual.”

Machine learning-based attacks in the wild may remain largely unheard of at this time, but some techniques are already being leveraged by criminal groups.

1. Increasingly evasive malware
Malware creation is still largely a manual process for cyber criminals. They write scripts to build viruses and trojans, and leverage rootkits, password scrapers and other tools to aid distribution and execution.

But what if they could speed up this process? Is there a way machine learning could help create malware?

The first known example of using machine learning for malware creation was presented in 2017 in a paper entitled “Generating Adversarial Malware Examples for Black-Box Attacks Based on GAN.” In the report, the authors revealed how they built a generative adversarial network (GAN) based algorithm to generate adversarial malware samples that, critically, were able to bypass machine-learning-based detection systems.

In another example, at the 2017 DEFCON conference, security company Endgame revealed how it used Elon Musk’s OpenAI framework to create customized malware that security engines were unable to detect. Endgame’s research took binaries that appeared to be malicious and changed a few parts so that the code would appear benign and trustworthy to antivirus engines.

Other researchers, meanwhile, have predicted machine learning could ultimately be used to “modify code on the fly based on how and what has been detected in the lab,” an extension on polymorphic malware.

2. Smart botnets for scalable attacks
Fortinet believes that 2018 will be the year of self-learning ‘hivenets’ and ‘swarmbots’, in essence marking the belief that ‘intelligent’ IoT devices can be commanded to attack vulnerable systems at scale. “They will be capable of talking to each other and taking action based off of local intelligence that is shared,” said Derek Manky, global security strategist, Fortinet. “In addition, zombies will become smart, acting on commands without the botnet herder instructing them to do so. As a result, hivenets will be able to grow exponentially as swarms, widening their ability to simultaneously attack multiple victims and significantly impede mitigation and response.”

Interestingly, Manky says these attacks are not yet using swarm technology, which could enable these hivenets to self-learn from their past behavior. A subfield of AI, swarm technology is defined as the “collective behavior of decentralized, self-organized systems, natural or artificial” and is already used today in drones and fledgling robotics devices. (Editor’s note: Though fiction, Black Mirror’s “Hated in the Nation” illustrates the criminal possibilities of swarm technology: thousands of automated bees are compromised for surveillance and physical attacks.)

3. Advanced spear phishing emails get smarter
One of the more obvious applications of adversarial machine learning is using algorithms like text-to-speech, speech recognition, and natural language processing (NLP) for smarter social engineering. After all, recurrent neural networks can already be taught writing styles, so in theory phishing emails could become more sophisticated and believable.

In particular, machine learning could enable advanced spear phishing emails targeted at high-profile figures while automating the process as a whole. Systems could be trained on genuine emails and learn to produce something that looks and reads convincingly.

In McAfee Labs’ predictions for 2017, the firm said that criminals would increasingly look to use machine learning to analyze massive quantities of stolen records to identify potential victims and build contextually detailed emails that would very effectively target these individuals.

Furthermore, at Black Hat USA 2016, John Seymour and Philip Tully presented a paper titled “Weaponizing data science for social engineering: Automated E2E spear phishing on Twitter,” which described a recurrent neural network learning to tweet phishing posts at chosen users. In the paper, the pair explained that the SNAP_R neural network, trained on spear phishing pentesting data, was dynamically seeded with topics taken from the timeline posts of target users (as well as the users they tweet at or follow) to make a click-through more likely.

The system proved remarkably effective. In tests involving 90 users, the framework delivered a success rate of between 30 and 60 percent, a considerable improvement on manual spear phishing and bulk phishing results.

4. Threat intelligence goes haywire
Threat intelligence is arguably a mixed blessing when it comes to machine learning. On the one hand, it is universally accepted that, in an age of false positives, machine learning systems will help analysts to identify the real threats coming from multiple systems. “Applying machine learning delivers two significant gains in the domain of threat intelligence,” said Recorded Future CTO and co-founder Staffan Truvé in a recent whitepaper.

“First, the processing and structuring of such huge volumes of data, including analysis of the complex relationships within it, is a problem almost impossible to address with manpower alone. Augmenting the machine with a reasonably capable human means you’re more effectively armed than ever to reveal and respond to emerging threats,” Truvé wrote. “The second is automation — taking all these tasks, which we as humans can perform without a problem, and using the technology to scale up to a much larger volume than we could ever handle.”

However, there is also the belief that criminals will adapt and simply overload those alerts once more. McAfee’s Grobman previously pointed to a technique known as “raising the noise floor.” An attacker bombards an environment with activity that generates a flood of false positives in common machine learning models. Once the target recalibrates its system to filter out the false alarms, the attacker launches the real attack, which now slips past the machine learning system.

5. Unauthorized access
An early example of machine learning for security attacks was published back in 2012, by researchers Claudia Cruz, Fernando Uceda, and Leobardo Reyes. They used support vector machines (SVM) to break a system running on reCAPTCHA images with an accuracy of 82 percent. All captcha mechanisms were subsequently improved, only for the researchers to use deep learning to break the CAPTCHA once more. In 2016, an article was published that detailed how to break simple-captcha with 92 percent accuracy using deep learning.

Separately, the “I am Robot” research at last year’s Black Hat revealed how researchers broke the latest semantic image CAPTCHA and compared various machine learning algorithms. The paper claimed 98 percent accuracy in breaking Google’s reCAPTCHA.

6. Poisoning the machine learning engine
A far simpler but still effective technique is to poison the machine learning engine used to detect malware, rendering it ineffective, much as criminals have done with antivirus engines in the past. The idea is straightforward: the model learns from input data, so if that data pool is poisoned, the output is poisoned too. Researchers from New York University demonstrated how convolutional neural networks (CNNs) could be backdoored to produce such false (but attacker-controlled) results, including when model training is outsourced to cloud providers like Google, Microsoft, and AWS.

Officers raid IT worker’s flat on Cheung Chau and also seize two desktop computers, two laptops, one tablet, three hard disks and five mobile phones

A 30-year-old Hong Kong man was arrested in connection with cyberattacks in which the computers of two travel agencies in the city were hacked and their clients’ sensitive personal information held for ransom, with payouts in bitcoin sought last week.

The two travel agencies reported the incidents to police on January 1 and 2.

One bitcoin (HK$123,735 or US$15,819) was demanded as a ransom in each hacking case, according to police.

Officers from the force’s Cyber Security and Technology Crime Bureau raided a flat in the outlying island of Cheung Chau and arrested the man on Saturday.

During the operation, police seized two desktop computers, two laptops, one tablet, three hard disks and five mobile phones in the flat.

At lunchtime on Monday, police escorted the suspect to his workplace on Hoi Yuen Road in the Kwun Tong district of Kowloon to gather evidence.

The Post understands the suspect, a computer technician, hacked into the computers of the agencies on New Year’s Day through security loopholes on their websites, hours before the companies were hit with demands for a ransom to be paid in bitcoin.

“An email was sent to the persons in charge of the companies after the personal information of more than 20,000 customers was stolen from the computer servers of the agencies,” a police source said.

“The companies were told to pay in bitcoin in a newly opened account with threats that their customers’ data would be posted on the internet if the firms failed to pay on Saturday.”

The stolen information included customers’ names, identity card numbers and contact numbers but no credit card information was involved.

Officers from the Cyber Security and Technology Crime Bureau were understood to have worked around the clock and checked tens of thousands of log records to the servers to gather information.

“Investigations showed circuitous routes were used to hack into the computer servers, but officers eventually identified the suspect through his IP address,” another source said.

He said the man was nabbed at home on Cheung Chau hours before the payment deadline.

Officers would carry out a forensic examination of the victims’ computers and hard disks to gather information, he said.

At about 5pm on Monday, the suspect was still being held for questioning and had not been charged.

“We believe his motive was to look for money,” said bureau superintendent Swalikh Mohammed.

Investigations were continuing and he did not rule out the possibility of further arrests.

“The cyber world is not a lawless place where criminals can hide. A majority of the laws applicable to the real world can also be applied to the internet,” he warned.

He said blackmail was a serious offence that carries a maximum penalty of 14 years in prison.

The company apologised to customers and promised it was taking steps to tighten cybersecurity.

The other agency, Big Line Holiday, said on Wednesday night that hackers might have broken into its database a day earlier and gained possession of some of its customers’ personal information.

The data was believed to include ID card numbers, home return permit numbers and phone numbers.

In a statement, Big Line said: “Our company attaches great importance to this incident and deeply apologises to the affected clients.”

Big Line, which has 13 branches and organises tours to mainland China and Asia, said it received a letter from perpetrators demanding a sum of money for the release of the information.

In November, one of the city’s largest travel agencies, Hong Kong-listed WWPKG Holdings, revealed that its customer database had also been hacked, putting at risk personal data such as ID card numbers and credit card information of some 200,000 customers.

The culprits had asked for a seven-figure ransom, to be paid in bitcoin, but the firm did not pay and instead called the police, who later managed to decrypt the data. Because of the hacking incident, all four of the agency’s branches – in Tsim Sha Tsui, Mong Kok, Causeway Bay and Sha Tin – were closed for a day.

The force recorded 653 cases of cybercrimes in 2005, the first year it began tracking such offences, and saw the number reach 5,939 in 2016, with financial losses hitting HK$2.3 billion.

After more than two decades, malware attacks have started to hit the corporate bottom line and to show up as significant losses in quarterly earnings reports. The shipping company Maersk, which was hit by the ransomware WannaCry in May, reported a third quarter loss in 2017 of about $200-$300 million. A few weeks later the pharmaceutical company Merck was hit by NotPetya and reported a quarterly loss of around $200 million, while FedEx’s subsidiary TNT reported $300 million in losses from the same outbreak. As a result, last spring’s viral ransomware attacks are causing organizations today to take another look at their current security and therefore may offer a silver lining.

“[It’s] because of the high profile nature of these incidents and the exploits, business people – organizational leadership — are taking a keener interest in what’s happening in cybersecurity,” said Amit Yoran, Chairman and Chief Executive Officer of Tenable. “Maybe you have a sexy story around APT and nation-state actors. These events are all forcing a professionalization in our industry — they’re driving a professionalization in our industry — that we haven’t seen before.”

Yoran said the 2017 ransomware attacks didn’t have to be so bad.

“The combination [of WannaCry and Petya] is a face palm moment,” Yoran said. “It’s all so prototypical of our industry. This is very basic stuff. It’s been around for a while. People have known about this for a while.” He added, “This is not like some super-elite hacker. Not some nation state, a sophisticated thing coming down. It’s the basic blocking and tackling that people just still don’t get, they still aren’t getting basic hygiene. People still aren’t going bounds checking. They’re still writing buffer overflows.”

As damaging as the attacks were for some, they may have had a positive effect for others. Yoran said Boards of Directors “today would be negligent to ignore cyber risk to the extent that they rely on technology which pretty much every enterprise does.”

Yoran has observed some organizations now going the extra distance with a security vendor, asking the vendor how the organization can better manage its own security program. These organizations want metrics. And they want to know what can be done without putting the entire organization on the line.

“Cyber risk and technology risk are core components of business risk today,” Yoran said. “Hey, if we’re accepting this business risk, then we want to mature our practices around cyber and that’s a trend that has started to evolve our industry a lot faster than it has been in the past.”

What will reduce the risks to organizations? It depends.

“I’d say if somebody’s focused and you have a funded adversary who is focused on intent with any modicum of skill, they are going to get into your environment,” Yoran said. “At that point how do you raise the bar? How do you make it more difficult for them? And how do you decrease your time to detection?”

So, given all that, is cybersecurity better today?

“Broadly, things are better — maybe too broadly,” Yoran added with a chuckle. “The risk today is probably higher than it’s ever been as organizations rely more on technology than they have before, as core processes and technologies get more and more complex, more and more interconnected. Complexity is the enemy of security.”

That and perhaps the threats today are more persistent?

“The threat actors are as or more aggressive than they’ve ever been,” Yoran said. “I think from that perspective things are probably worse off than we’ve seen in years past. I’d say for the first time, though, there’s a light at the end of the tunnel. We can see a path to improvement, which is really driven by outside influence.”

Yoran said the vast majority of the high-profile breaches that occur actually rely on a fairly simple subset of exploits seen in the wild. As more organizations exercise better hygiene – bringing more professionalism to their cybersecurity programs — overall protection against these threats will rise, whether an attack is targeted or somebody simply stumbles upon an exposed entity.

Speaking at the Irish Independent’s annual Dublin Information Sec cyber-security event taking place in Dublin today, Mike G, who helps organisations in their fight against hacking and cyber attacks, said that humans are very easily hacked.

Citing the hacking of US actress Jennifer Lawrence’s Apple iCloud account, Mike G said the attack succeeded because the actress’s iCloud password was her dog’s name and she had posted a picture of the dog on Instagram. The hacker went from there and leaked photos apparently showing her in the nude on the internet.

Mike G, who describes himself as a pilot, engineer, and ethical hacker, described the various ways in which hackers can gain information about a person or a company, including through social media, certain types of jobs – “sales people often give out everything” – and even job listings.

In a sobering talk, he listed spoofing texts, calls and emails among the ways in which people and companies can get hacked.

In addition, he said that anything can get hacked, including PINs, biometrics, TVs, and even our Fitbits.

When a person’s phone can be taken over, however, it is “huge”, he said.

In what was a stark message to businesses, Mike G asked those present at the event whether their company would be able to recover if the competition had all of their data.

However, the news from the ethical hacker was not all bad.

Mike G and his team do a lot of forensic planning, providing, among other services, cyber security awareness training and impact penetration testing to show companies their weak spots and how these can be overcome.

SSH private keys are being targeted by hackers who have stepped up their scanning of thousands of servers hosting WordPress websites in search of private keys. Since Monday, security researchers said they have observed a single entity scanning as many as 25,000 systems a day seeking vulnerable SSH keys to be used to compromise websites.

“What triggered our concern was a customer who notified us that they have been monitoring their live traffic and seeing scans for SSH keys,” said WordFence CEO Mark Maunder, in an interview with Threatpost. “When we examined our own honeypots we found that this was not an isolated case and that 25,000 scans were taking place in waves each day.”

Those scans began on Monday and are ongoing, Maunder said, as he also reported in a blog post. Adversaries are searching for terms such as “root,” “ssh,” or “id_rsa” in hopes of finding web directories containing private SSH keys, most likely mistakenly stored in public directories.

SSH (Secure Shell) is a cryptographic network protocol most often used for secure remote logins to remote computer systems. Successful theft of a private key would give a threat actor access to any server or system where that private key is used for authentication. That risk, security experts note, is not just limited to WordPress but also Linux and Unix systems and embedded devices that also rely heavily on SSH for secure logins and connections.

“Scanning for private SSH keys in public directories is not new. But, the type of increase we are seeing is alarming,” said Justin Jett, director of audit and compliance for Plixer.

He said good SSH security practices are seldom followed. Unlike digital certificates, which expire, SSH keys have no expiration date, and passwords are seldom changed.

“What we find is most businesses and enterprises have no idea what SSH keys are or how to manage them,” said Venafi vice president of security strategy Kevin Bocek. “SSH is unfortunately a secret of systems administrators who create them and tend to them.”

Bocek said Venafi has also seen a recent increase in scanning for SSH keys, not only in public directories but also in Git or SVN (Subversion) repositories.

Private keys should never be stored in publicly accessible directories. However, too often admins lose track of SSH keys and host both the public and private keys online.
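Two defender-side checks that follow from the scanning described above, written as an added example (not code from WordFence, Venafi or the original article): flag access-log requests that probe for the “root”, “ssh” and “id_rsa” paths the article mentions (and, worse, any such request the server answered with 200), and audit a web root for files that actually begin with a private-key header. The log lines and the key file are constructed fixtures; the search terms beyond the article’s three are my assumption.

```python
"""Detect SSH-key scanning in web logs and find keys mistakenly published in a web root."""
import re
import tempfile
from pathlib import Path

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Oct/2017:10:01:12 +0000] "GET /.ssh/id_rsa HTTP/1.1" 404 162
203.0.113.5 - - [02/Oct/2017:10:01:13 +0000] "GET /root/.ssh/id_rsa HTTP/1.1" 404 162
203.0.113.5 - - [02/Oct/2017:10:01:14 +0000] "GET /ssh/id_rsa.pub HTTP/1.1" 404 162
198.51.100.7 - - [02/Oct/2017:10:02:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2310
198.51.100.7 - - [02/Oct/2017:10:02:05 +0000] "GET /backup/id_rsa HTTP/1.1" 200 1675
192.0.2.9 - - [02/Oct/2017:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Path fragments the article says scanners look for ("root", "ssh", "id_rsa");
# the other id_* names are an assumption covering the usual OpenSSH key file names.
PROBE_RE = re.compile(
    r"(^|/)(\.ssh|ssh|root)(/|$)|id_(rsa|dsa|ecdsa|ed25519)", re.IGNORECASE
)
# PEM / OpenSSH private-key header a published key file would start with.
PRIVKEY_HEADER_RE = re.compile(rb"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----")


def parse_line(line):
    """Return (client_ip, path, status) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def find_key_probes(log_text):
    """Map client IP -> [(path, status), ...] for requests that probe for key material."""
    probes = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec
        if PROBE_RE.search(path):
            probes.setdefault(ip, []).append((path, status))
    return probes


def served_keys(log_text):
    """Probe requests the server answered with 200: candidate exposed keys.

    These need rotation and an audit of every host that trusts them, not just a block rule.
    """
    return [
        (ip, path)
        for ip, hits in find_key_probes(log_text).items()
        for path, status in hits
        if status == 200
    ]


def audit_webroot(root, max_bytes=1_000_000):
    """Relative paths of files under root whose first bytes carry a private-key header."""
    root = Path(root)
    found = []
    for p in root.rglob("*"):
        if not p.is_file() or p.stat().st_size > max_bytes:
            continue
        with p.open("rb") as fh:
            head = fh.read(4096)
        if PRIVKEY_HEADER_RE.search(head):
            found.append(p.relative_to(root).as_posix())
    return sorted(found)


def demo_audit():
    """Build a throwaway web root with one constructed, non-functional key file and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "uploads").mkdir()
        # Placeholder body: header only, no real key material.
        (root / "uploads" / "id_rsa").write_bytes(
            b"-----BEGIN OPENSSH PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END OPENSSH PRIVATE KEY-----\n"
        )
        (root / "index.html").write_text("<html>hello</html>")
        return audit_webroot(root)


if __name__ == "__main__":
    for ip, hits in find_key_probes(SAMPLE_LOG).items():
        print(ip, hits)
    print("probes answered with 200:", served_keys(SAMPLE_LOG))
    print("key files found in demo web root:", demo_audit())
```

A scan that only ever returns 404s is reconnaissance worth rate-limiting; a probe that returns 200 means a key is already in the attacker's hands and must be revoked on every host that accepts it.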

“Exposed SSH keys pose a serious threat to organizations. Anyone gaining access to them has the ‘keys’ to the kingdom,” Jett said.

Earlier this week a report by Venafi disclosed that companies lacked sufficient SSH security controls. A study of 410 IT security professionals by the company found 54 percent of respondents said they do not limit the locations from which SSH keys can be used. It also found 61 percent of respondents do not limit or monitor the number of administrators who manage SSH.

A new variant of the aggressive “Locky” ransomware hits 20 million confirmed attacks in a single day, warns a cybersecurity firm.

Ransomware actors are sometimes incredibly sophisticated, demonstrating careful planning and methodical execution. Some individuals or groups can launch large-scale attacks, casting the widest net possible to catch the maximum number of victims.

To protect yourself, it’s best to get familiar with the types of ransomware out there and how to avoid them.

Here are some figures to give you an idea of the massive scale on which ransomware operates:

Last year, ransomware spread increased by a staggering 500%, with email phishing as the most-used distribution method.
In a given month, ransomware infects 30,000-35,000 devices on average.
During the first 6 months of 2016, 300 new ransomware variants were developed. During the same period, an unknown ransomware actor made nearly $100 million USD in profits.
This year, profits generated through ransomware are expected to hit $1 billion USD.

Locky, a Sneaky Ransomware

First appearing in February 2016, Locky is ransomware, a type of malware that holds all of a victim’s files hostage by encrypting them and demanding a ransom to have them returned unencrypted. With the proliferation of cryptocurrencies, hackers usually ask for ransoms to be paid in Bitcoin, for obvious reasons.

Like most ransomware, Locky infects a system via spam (email sent by a botnet) with a .doc file attached. These emails often come with a subject that reads “ATTN: Invoice…”, and a message asking for urgent payment of an invoice.

If the victim clicks on the link, Locky is quickly installed; it then scrambles and renames all files on the system with the extension “.locky”, as well as files on other systems connected to the same network.

This ransomware also removes Windows backup copies (shadow copies), which makes it impossible to recover files through that method.

Believed to have been released by the same hackers who were behind Dridex ransomware in 2015, Locky has been spreading like wildfire across the web in 2017, evolving every now and then with new sneaky distribution methods.

Just last month, it was revealed that a new version of Locky attacked millions of systems in just one day.

Locky’s Back With New Aggressive Variant

The threat, according to researchers at Barracuda Networks Advanced Technology Group, comes in the form of a new, very aggressive version of the strain of ransomware known as Locky.

Per a Barracuda blog post, the attacks originate predominantly from Vietnam, but other hotbeds span three continents, including India, Turkey, Colombia, and Greece, albeit in very low volumes compared to those from Vietnam.

Barracuda analysts say that about 20 million of these attacks occurred in 24 hours, from the 18th to the 19th of September, and this figure was growing rapidly. Most of the spam emails claim to be from the “Herbalife company” or fake “copier file delivery”.

In an update, Barracuda said its researchers confirmed that the attacks use a variant of the Locky ransomware with a unique identifier. Identifiers are supposed to let hackers ID victims in order to send them tools to decrypt data after the ransom is paid.

This time, however, all victims have been assigned the same identifier, which means that even if victims pay the ransom they won’t receive decryption tools.

Barracuda also said its filters had blocked about 27 million Locky-related emails, adding that its researchers are actively monitoring the situation.

EdgyLabs readers, here’s what you can do if you fall victim to a Locky or other ransomware attack:

Whatever you do, don’t pay the ransom, because paying cybercriminals only encourages their behavior, unless of course there is no other way to get your critical data back.

But in the case of this new wave of Locky attacks, as security researchers found out (same ID for all victims), just don’t bother, because you are not getting decryption tools anyway, whether the ransom is paid or not.

You can remove Locky ransomware using your average antivirus program. You can try to recover your encrypted data by restoring backup copies, but that’s not guaranteed with the new strain of Locky that deletes shadow copies.

Besides updating your antivirus and using spam filters, remember not to open attachments from suspicious emails of unverified origin; delete them instead.

But before all of that, make sure you use 3-2-1 data protection.

Use 3-2-1 Data Protection

3 copies of your data
2 separate types of media (tape, disk, deduplication)
1 offline and off-site copy
As always, whenever a hard drive is compromised, it is best to reformat the drive completely before using it again.

Cyber attacks and security breaches are now a constant threat for businesses. Costing the global economy $450 billion in 2016, they’re now occurring with increased regularity, which in turn has forced businesses to focus more on cybersecurity protocols to protect their key data.

A report issued by Malwarebytes showed that over one billion malware-based incidents occurred between June and November of 2016, and it is expected that most of those incidents actually went unnoticed until they had breached a network.

A primary target for cybercriminals is the gaps found where big data files are stored, and with the introduction of the cloud and its unlimited storage, a new avenue has opened for hackers to penetrate a system. The cloud allows larger datasets to be stored in one place and accessed simultaneously by numerous people, and it is this transition from data centre storage to the cloud that cybercriminals are looking to target. If a business’s security protocols are not enforced and up-to-date, the system can be breached.

However, it isn’t only big data storage systems that now harbor potential threats. Cybercriminals have begun to use smartphones and wearable technology to breach company networks. With statistics showing that four out of five UK adults now own a smartphone, many of which access secure work WiFi networks daily, this has become the next route that hackers are choosing to exploit.

As the threat from cybercriminals increases, businesses can’t take data security lightly, as cybercriminals are constantly finding new ways to access a system.

Detecting a threat as soon as it penetrates a security firewall is not an easy task by any means, and when a breach does happen there’s no simple fix. They are, however, manageable, and it’s data analytics that has become the newest line of security to help stop threats and increase protection.

A recent survey found that 53% of businesses use data analytics to detect high-security threats to their business. This is a figure which should increase, as findings from a report by the Ponemon Institute shows that an organisation is 2.25 times more likely to recognise a threat within hours or minutes if they implement data analytics.

What is data analytics?

The process of data analytics involves data specialists examining large sets of data to uncover anomalies that are not normally seen by the naked eye. Analysts will sift through data searching for unknown correlations in figures or hidden patterns, and from the information collected, they’re able to perform a comprehensive analysis, and use their findings to identify and deter cyber attacks.

To identify if and when a security breach may happen, analysts apply predictive analysis techniques to the data under examination. Statistical methods such as predictive modelling enable analysts to predict potential outcomes. Combined with data mining, in which analysts sift through large amounts of historical data, they can then cross-examine it against real-time data to firm up their predictions.

If a threat area is identified, security protocols will then be implemented, alongside algorithms relevant to the data type or structure which are placed in the development code. This should then close the vulnerability and stop firewall breaches instantaneously.

What can it do for your business?

Despite the ability for data analytics to offer a solution to a daily problem, it’s still something that hasn’t been put to full use by businesses. But with software now available that can be used to aid analysis of larger datasets such as Hadoop, it’s becoming a more mainstream solution.

The data gathered during the analytics process gives a business a better understanding of cyber attacks, arming it with the right tools to ultimately stop them from happening. It also allows IT security teams to protect the business from the inside out.

Larger organisations often have an in-house team constantly monitoring security. But smaller businesses still have options for strengthening their security. Managed security service providers offer network security management that can be used if your business simply doesn't have the resources to hire a large team of experts.

Data analytics can also help quash potential threats from inside your organisation. Using a security information and event management (SIEM) system, businesses can monitor devices connected to the network, and if the collected data identifies a security risk, it can be halted.
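The procedure described above (mine historical data for a baseline, build a predictive model from it, then cross-examine real-time data against that model and act on what the SIEM surfaces) as an added example, not code from the article or from any product it mentions. Every log line below is constructed in the script, and the host names, the authentication-failure event type and the z-score threshold are assumptions made for illustration.

```python
"""Baseline-vs-real-time detection over constructed SIEM-style log lines.

Added example, not code from the article or any product it mentions.
Every log line below is constructed; the host names and the z-score
threshold are assumptions made for illustration.
"""
import re
import statistics
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ host=(?P<host>\S+) "
    r"user=(?P<user>\S+) event=(?P<event>\S+)"
)


def _synth(day, host, n, event="auth_failure"):
    """Build n constructed log lines for one host on one day (October 2017)."""
    return [
        f"2017-10-{day:02d}T08:{i:02d}:00 host={host} user=u{i} event={event}"
        for i in range(n)
    ]


# Historical data (the "data mining" input): five days of authentication
# failures per host.  web01 sees 3-4 a day, db01 exactly 1.
HISTORICAL = []
for _d in range(1, 6):
    HISTORICAL += _synth(_d, "web01", 3 + _d % 2)
    HISTORICAL += _synth(_d, "db01", 1)

# Real-time window for day 6: web01 looks normal, db01 spikes to 12 failures,
# and vpn01 is a host the baseline has never seen.  A successful login is
# included to show that other event types are parsed but not counted.
REALTIME = (
    _synth(6, "web01", 4)
    + _synth(6, "db01", 12)
    + _synth(6, "vpn01", 2)
    + _synth(6, "web01", 1, event="login_ok")
)


def parse(lines):
    """Yield (day, host, user, event) for every line that matches the format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("day"), m.group("host"), m.group("user"), m.group("event")


def daily_counts(lines, event="auth_failure"):
    """Return {host: [count on day 1, count on day 2, ...]} for one event type."""
    per_day = defaultdict(Counter)
    hosts = set()
    for day, host, _user, ev in parse(lines):
        hosts.add(host)
        if ev == event:
            per_day[day][host] += 1
    days = sorted(per_day)
    return {h: [per_day[d][h] for d in days] for h in hosts}


def build_model(historical, event="auth_failure"):
    """Predictive model: (mean, population stdev) of daily counts per host."""
    return {
        host: (statistics.mean(counts), statistics.pstdev(counts))
        for host, counts in daily_counts(historical, event).items()
    }


def detect(model, realtime, event="auth_failure", z=3.0):
    """Cross-examine the real-time window against the model.

    Returns a list of (host, observed, threshold).  threshold is None for a
    host the baseline never saw, since the model has no prediction for it.
    """
    today = Counter()
    for _day, host, _user, ev in parse(realtime):
        if ev == event:
            today[host] += 1
    anomalies = []
    for host, observed in sorted(today.items()):
        if host not in model:
            anomalies.append((host, observed, None))
            continue
        mean, stdev = model[host]
        # Floor the spread at 1 so a perfectly flat baseline still tolerates jitter.
        threshold = mean + z * max(stdev, 1.0)
        if observed > threshold:
            anomalies.append((host, observed, threshold))
    return anomalies


if __name__ == "__main__":
    for host, observed, threshold in detect(build_model(HISTORICAL), REALTIME):
        print(f"{host}: {observed} auth failures (expected at most {threshold})")
```

Running the script flags db01 (12 failures against a predicted ceiling of 4) and vpn01 (no prediction at all), while web01's 4 failures fall inside its baseline. The point a practitioner should take from the "host not in model" branch is that a predictive model can only judge what history has covered; a device the SIEM has never logged needs a separate rule rather than silence.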

Implementing data analytics is a practice every business can use to protect itself against cyber attacks. It strengthens the front line of defence, the information collected can help improve security on the business network, and it could in future mean an end to unpredicted breaches of security systems.

FormBook is a new malware from attackers targeting manufacturing, defense, and aerospace firms in South Korea and the United States.

According to FireEye researchers, FormBook was identified in numerous distribution campaigns attacking the U.S. with emails containing malicious XLS, DOC, or PDF files. Similar FormBook attacks have been identified in South Korea through emails containing malicious files in ZIP, ACE, ISO, and RAR formats.

FormBook's functional payload is a form grabber that steals data, and it has been advertised on various hacking forums since 2016. Its prominent capabilities include keylogging, tracking HTTP/SPDY/HTTPS/HTTP2 form submissions and network requests, stealing passwords from browsers and email clients, clipboard monitoring, and taking screenshots.

The attackers behind these email campaigns have leveraged a wide assortment of distribution mechanisms to spread the FormBook malware, as reported on 9 October 2017 on australiandefence.com.

As confirmed by FireEye experts, an important and exclusive feature of this malware is that it can read the Windows ntdll.dll module from disk into memory and call that copy's exported functions directly, which renders API monitoring and user-mode hooking mechanisms ineffective.

A self-extracting RAR file delivers the FormBook payload. When launched, an AutoIt loader runs and compiles a script; that script decrypts the FormBook payload into memory and then carries out its execution, the researchers confirm.

Over time the researchers have also found that FormBook can download NanoCore, a remote access Trojan (RAT) first seen in 2013 and readily sold on the web. Its author, Taylor Huddleston, was arrested in March 2017.

Besides the United States and South Korea, the malware has targeted other countries, such as the United Kingdom, France, Poland, Ukraine, Hungary, Russia, Australia, Germany, and the Netherlands. The archive campaign has also hit prominent countries including the United States, Belgium, Japan, Saudi Arabia, France, Sweden, Germany, and India.

FormBook targets Windows devices, so high-profile institutions urgently need to look to a more secure solution and upgrade their Windows operating systems. For now, the advice is strictly not to open suspicious emails, click unidentified links, or download unknown attachments from unrecognised email addresses.
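The distribution channel described above (lure documents and archives attached to email) is where a mail gateway can enforce the "do not open unknown attachments" advice before a user ever sees the message. The following is an added example of such an attachment policy check, not FireEye's code or anything from the article. The sample message is constructed in-process with a placeholder ZIP and PDF; the document and archive extension lists are taken from the file types named in the article, while the executable extension list and the verdict names are assumptions typical of a gateway policy.

```python
"""Mail-gateway attachment policy check for the file types FormBook abused.

Added example, not FireEye's code or anything from the article.  The sample
message is constructed in-process; the extension lists are assumptions
(the archive and document types come from the article, the executable list
is a typical gateway policy).
"""
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

DOCUMENT_EXTS = {".xls", ".doc", ".pdf"}          # lure documents named in the article
ARCHIVE_EXTS = {".zip", ".ace", ".iso", ".rar"}    # archive formats named in the article
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".js", ".vbs", ".bat"}  # assumed policy


def build_sample_email():
    """Construct a lure message: a ZIP wrapping an .exe plus a plain PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Double extension: looks like a PDF, is a program.  Content is a placeholder.
        zf.writestr("invoice.pdf.exe", b"MZ placeholder, not a real program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


def archive_members(ext, payload):
    """List member names of a ZIP; other archive types cannot be inspected here."""
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                return zf.namelist()
        except zipfile.BadZipFile:
            return None
    return None


def classify_attachments(raw):
    """Return [(filename, verdict, offending_members)] for each attachment.

    Verdicts: block (archive carrying an executable), quarantine (archive that
    could not be inspected), scan (document type worth detonating), allow.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in ARCHIVE_EXTS:
            members = archive_members(ext, part.get_payload(decode=True))
            if members is None:
                findings.append((name, "quarantine", []))
                continue
            bad = [m for m in members
                   if os.path.splitext(m)[1].lower() in EXECUTABLE_EXTS]
            findings.append((name, "block" if bad else "scan", bad))
        elif ext in DOCUMENT_EXTS:
            findings.append((name, "scan", []))
        else:
            findings.append((name, "allow", []))
    return findings


if __name__ == "__main__":
    for name, verdict, bad in classify_attachments(build_sample_email()):
        print(f"{name}: {verdict}" + (f" (contains {', '.join(bad)})" if bad else ""))
```

Only ZIP archives are opened here because the standard library can read them; ACE, ISO and RAR attachments, which the article names as the South Korean lure formats, fall through to "quarantine" rather than "allow", so an archive the gateway cannot look inside is never waved through by default.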

Source: National Cyber Security – Produced By Gregory Evans SALT LAKE CITY — Digital security breaches that impact megacompanies like Equifax, Sony or Yahoo tend to dominate headlines when they occur, but it’s far more common for small businesses to fall victim to cybercriminals and, when they do, the results are typically far more catastrophic. […]

Whilst some software systems completely change the game in a positive way, other software can do a lot of costly damage to any organization, including physical damage. Though some of the damage may only affect the transfer of sensitive data from one unauthorized location to another, there are some security…